CVE-2021-20649 - Vulnerability Details - OpenCVE

ELECOM WRC-300FEBK-S contains an improper certificate validation vulnerability. Via a man-in-the-middle attack, an attacker may alter the communication response. As a result, an arbitrary OS command may be executed on the affected device.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.001.

Key SSVC decision points have not yet been added.

Vendors	Products
Elecom	Wrc-300febk-s Wrc-300febk-s Firmware

Configuration 1 [-]

AND

cpe:2.3:o:elecom:wrc-300febk-s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:elecom:wrc-300febk-s:-:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2021-8067	ELECOM WRC-300FEBK-S contains an improper certificate validation vulnerability. Via a man-in-the-middle attack, an attacker may alter the communication response. As a result, an arbitrary OS command may be executed on the affected device.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://jvn.jp/en/jp/JVN47580234/index.html
https://www.elecom.co.jp/news/security/20210126-01/

History

No history.

MITRE

Status: PUBLISHED

Assigner: jpcert

Published: 2021-02-12T06:15:50

Updated: 2024-08-03T17:45:45.385Z

Reserved: 2020-12-17T00:00:00

Link: CVE-2021-20649

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-02-12T07:15:15.387

Modified: 2024-11-21T05:46:56.593

Link: CVE-2021-20649

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "WRC-300FEBK-S", "vendor": "ELECOM CO.,LTD.", "versions": [{"status": "affected", "version": "WRC-300FEBK-S"}]}], "descriptions": [{"lang": "en", "value": "ELECOM WRC-300FEBK-S contains an improper certificate validation vulnerability. Via a man-in-the-middle attack, an attacker may alter the communication response. As a result, an arbitrary OS command may be executed on the affected device."}], "problemTypes": [{"descriptions": [{"description": "Improper certificate validation", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-02-12T06:15:50", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.elecom.co.jp/news/security/20210126-01/"}, {"tags": ["x_refsource_MISC"], "url": "https://jvn.jp/en/jp/JVN47580234/index.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2021-20649", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "WRC-300FEBK-S", "version": {"version_data": [{"version_value": "WRC-300FEBK-S"}]}}]}, "vendor_name": "ELECOM CO.,LTD."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "ELECOM WRC-300FEBK-S contains an improper certificate validation vulnerability. Via a man-in-the-middle attack, an attacker may alter the communication response. As a result, an arbitrary OS command may be executed on the affected device."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper certificate validation"}]}]}, "references": {"reference_data": [{"name": "https://www.elecom.co.jp/news/security/20210126-01/", "refsource": "MISC", "url": "https://www.elecom.co.jp/news/security/20210126-01/"}, {"name": "https://jvn.jp/en/jp/JVN47580234/index.html", "refsource": "MISC", "url": "https://jvn.jp/en/jp/JVN47580234/index.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:45:45.385Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.elecom.co.jp/news/security/20210126-01/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jvn.jp/en/jp/JVN47580234/index.html"}]}]}, "cveMetadata": {"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2021-20649", "datePublished": "2021-02-12T06:15:50", "dateReserved": "2020-12-17T00:00:00", "dateUpdated": "2024-08-03T17:45:45.385Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:elecom:wrc-300febk-s_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "BBD41BED-6FB3-4F62-BFCC-C73927375E9E", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:elecom:wrc-300febk-s:-:*:*:*:*:*:*:*", "matchCriteriaId": "77EFC8AE-44A0-4ED5-AC46-13CA56313EEB", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "ELECOM WRC-300FEBK-S contains an improper certificate validation vulnerability. Via a man-in-the-middle attack, an attacker may alter the communication response. As a result, an arbitrary OS command may be executed on the affected device."}, {"lang": "es", "value": "ELECOM WRC-300FEBK-S, contiene una vulnerabilidad de comprobaci\u00f3n de certificado inapropiada. Mediante un ataque man-in-the-middle, un atacante puede alterar la respuesta de comunicaci\u00f3n. Como resultado, se puede ejecutar un comando arbitrario del sistema operativo en el dispositivo afectado"}], "id": "CVE-2021-20649", "lastModified": "2024-11-21T05:46:56.593", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-12T07:15:15.387", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN47580234/index.html"}, {"source": "vultures@jpcert.or.jp", "tags": ["Vendor Advisory"], "url": "https://www.elecom.co.jp/news/security/20210126-01/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN47580234/index.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.elecom.co.jp/news/security/20210126-01/"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}